Implementing Azure Virtual Desktop in the enterprise

Hands-on lab step-by-step guide

September 2021

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Implementing Azure Virtual Desktop for the enterprise hands-on lab step-by-step

Implementing Azure Virtual Desktop for the enterprise hands-on lab step-by-step

Abstract and learning objectives

In this hands-on lab, you will implement an Azure Virtual Desktop (formerly Windows Virtual Desktop) Infrastructure and learn how-to setup a working AVD environment end-to-end in a typical Enterprise model. At the end of the lab, attendees will have deployed an Azure Active Directory Tenant with Azure AD Connect to an Active Directory Domain Controller that is running in Azure. You will also deploy the Azure infrastructure for the Azure Virtual Desktop Tenant(s), Host Pool(s) and session host(s), and connect to an AVD session utilizing different supported devices and browsers. You will publish desktops and remote apps, and configure user profiles and file shares with FSLogix. Finally, you will configure monitoring and security for the Azure Virtual Desktop infrastructure and understand the steps to manage the gold images.

Overview

In this lab, attendees will deploy the Azure Virtual Desktop (AVD) solution. Exclusively available as an Azure cloud service, Azure Virtual Desktop allows you to choose a flexible end user virtualized application or desktop delivery model that best aligns with your enterprise Azure cloud strategy. AVD simplifies the IT model to virtualize and deploy modern and legacy desktop app experiences with unified management without needing to host, install, configure, and manage components such as diagnostics, networking, connection brokering, and gateway. AVD brings together Microsoft Office 365 and Azure to provide users with the only multi-session Windows 10 experience with exceptional scale and reduced IT costs while empowering today's modern digital workspace.

Solution architecture

This diagram shows an Azure Virtual Desktop architecture with on-premises servers for Active Directory. In the diagram, the host pools are providing the AVD session to the different supported devices. Azure Monitor, Network Watcher, and Log Analytics are monitoring and logging activity and performance metrics.

Requirements

Before you start setting up your Azure Virtual Desktop workspace, make sure you have the following items:

The Azure Active Directory tenant ID for Azure Virtual Desktop users.
A global administrator account within the Azure Active Directory tenant.
- This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop workspace for their customers. When you are in a CSP organization, you must be able to sign in as global administrator of the customer's Azure Active Directory tenant.
- The administrator account must be sourced from the Azure Active Directory tenant in which you are trying to create the Azure Virtual Desktop workspace. This process does not support Azure Active Directory B2B (guest) accounts.
- The administrator account must be a work or school account.
An Azure subscription.
- Enough Quota Cores to build four 4-core servers.
- Access to the Azure Active Directory Global Admin account for your new or existing Azure Active Directory Tenant.
- Owner rights on all Azure subscription(s).

Before the hands-on lab

Refer to the Before the hands-on lab setup guide before continuing to the lab exercises.
Make sure to keep track of what user accounts you are using and where you are using them.
Regions and locations, make sure to stay consistent as much as possible.

Troubleshooting

When you run into issues with your Azure Virtual Desktop (AVD) environment, there will periodically be troubleshooting tips at the end of the current exercise. If the issues are not directly addressed, please feel free to reach out to your instructor or teacher.

Review the article, Troubleshooting overview, feedback, and support for Azure Virtual Desktop. Part of the article will cover steps used in Exercise 8 and can help diagnose issues you may encounter.

Exercise 1: Configuring Azure AD Connect with AD DS

Duration: 60 minutes

In this exercise, you will be configuring Azure AD Connect. With Azure Virtual Desktop, all session host VMs within the AVD tenant environment are required to be domain joined to AD DS, and the domain must be synchronized with Azure AD. To manage the synchronization of objects, you will configure Azure AD Connect on the domain controller deployed in Azure.

Note: RDP access to a domain controller using a public IP address is not a best practice and is only done to simplify this lab. Better security practices such as removing the PIP, enabling just-in-time access and/or leveraging a bastion host should be applied enhance security.

Additional Resources


Description	Links
Azure Virtual Desktop (ARM-based model) deployment walk through	https://www.christiaanbrinkhoff.com/2020/05/01/windows-virtual-desktop-technical-2020-spring-update-arm-based-model-deployment-walkthrough/#NewAzurePortal-Dashboard

Task 1: Connecting to the domain controller

Sign in to the Azure Portal.
Type Resource groups in the search field and select it from the list.
On the Resource groups blade, select the resource group name that you created in the Before the HOL template deployment.
On the Infra Resource group blade, review the list of available resources. Locate the resource named AdPubIP1 and select it. Note that the resource type should be Public IP address.
On the Overview page for AdPubIP1, locate the IP address field. Copy the IP address to a safe location.
On your local machine, open the RUN dialog window, type MSTSC and enter.
In the Remote Desktop Connection window, paste in the public IP address from the previous step. Select Connect.
When prompted, sign in with the AD domain UPN credentials. For example, when you used the ARM template from Before HOL setup guide, the credentials will be something along the lines of: adadmin@MyADDomain.com with the password: AVD@zureL@b2019!. If prompted, select Yes to accept the RDP certification warning.

Note: This is the Active Directory account from the ARM template, not the Azure AD Global Admin account. when you have trouble signing in, try typing the credentials in manually, as copy and paste may include an unnecessary space, which will cause authentication to fail.

Task 2: Disabling IE Enhanced Security

To simplify tasks in this lab, we will start by disabling IE Enhanced Security.

Once connected to the domain controller, open Server Manager if it does not start automatically.
In Server Manager, select Local Server on the left.
Locate the IE Enhanced Security Configuration option and select On.
On the Internet Explorer Enhanced Security Configuration window, under Administrators, select the Off radio button and select OK.

Task 3: Creating a domain admin account

By default, Azure AD Connect does not synchronize the built-in domain administrator account ADAdmin@MyADDomain.com. This system account has the attribute isCriticalSystemObject set to true, preventing it from being synchronized. While it is possible to modify this, it is not a best practice to do so.

In Server Manager, select Tools in the upper right corner and select Active Directory Users and Computers.
In Active Directory Users and Computers, right-click the Users organization unit and select New > User from the menu.
Complete the New User wizard.

Note: This account will be important in future tasks. Make a note of the username and password you create. When setting the password, uncheck the box User must change password at next logon.
In Active Directory Users and Computers, right-click on the new user account object and select Add to a group.
On the Select Groups dialog window, type Domain Admins and select OK.

Note: This account will be used during the host pool creation process for joining the hosts to the domain. Granting Domain Admin permissions will simplify the lab. However, any Active Directory account that has the following permissions will suffice. This can be done using Active Directory Delegate Control.

Task 4: Configuring Azure AD Connect

On the desktop of the domain controller, locate the icon for Azure AD Connect and open it.

Note: The installation of Azure AD Connect may fail if the server has not been updated to enable TLS 1.2. If this is the case, run the following PowerShell script to enable and then re-open Azure AD Connect.

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

Accept the license terms and privacy notice, then select continue. On the next screen select Use express settings. The required components will install.
On the Connect to Azure AD page, enter in the Azure AD Global Admin credentials. For example: azadmin@MyAADdomain.onmicrosoft.com and the correct password. Select Next.

Note: This is the account associated with your Azure subscription.
On the Connect to AD DS page, enter in the Active Directory credentials for a Domain Admin account. For example, when you used the ARM template deployment for the domain controller, the credentials will be something along the lines of: [MyADDomain.com] \ADadmin with the password: AVD@zureL@b2019!. Select Next.

Note: When you copy and paste the password, make sure there are no trailing spaces, as that will cause the verification to fail.
Select Install to start the configuration and synchronization.
After a few minutes, the Azure AD Connect installation will complete. Select Exit.
Minimize the RDP session for the domain controller and wait a few minutes for the AD accounts to be synchronized to Azure AD.
Sign in to the Azure Portal.
Type Azure Active Directory in the search field and select it from the list.
On the Azure Active Directory blade, under Manage, select Users.
Review the list of user account objects and confirm the test accounts have synchronized.

Note: It can take up to 15 minutes for the Active Directory objects to be synchronized to the Azure AD tenant.

Exercise 2: Create Azure AD groups for AVD

Duration: 30 minutes

In this exercise, you will be working with groups in Azure Active Directory (Azure AD) to assist in managing access assignment to your application groups in AVD. The new ARM portal for AVD supports access assignment using Azure AD groups. This capability greatly simplifies access management. Groups will also be leveraged in this guide to manage share permissions in Azure Files for FSLogix.

You will be creating three Azure AD groups to manage access to the different application groups: Personal, Pooled, and RemoteApp. For this guide we will only create a single group for RemoteApps, but in a production scenario it is more common to use separate groups based on the app or persona defined by the customer. Be sure to make note of the groups you create, as they will be used in later exercises.

It is also important to keep in mind that these groups can also originate from the Windows Active Directory environment and synchronize via Azure AD Connect. This will be another common scenario for customers that already have processes defined on-premises for group management.

Additional Resources


Description	Links
Create a basic group and add members in Azure AD	https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
Azure AD Connect sync	https://docs.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-user-and-contacts

Task 1: Creating Azure AD groups

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type Azure Active Directory. Select Azure Active Directory from the list.
On the Azure Active Directory page, select Groups on the left and select + New group.
On the New Group page, fill in the following options and select Create.
- Group type: Security
- Group name: AVD Pooled Desktop User
- Membership type: Assigned
Select + New group again, fill in the following options and select Create.
- Group type: Security
- Group name: AVD Remote App All Users
- Membership type: Assigned
Select + New group again, fill in the following options and select Create.
- Group type: Security
- Group name: AVD Persistent Desktop User
- Membership type: Assigned
Confirm that the groups have been added by going to Azure Active Directory, selecting Groups. Scroll down to the bottom of the list of groups and the three groups that you created should be listed.

Task 2: Assign users to groups

Now that the Azure AD groups are in place, you will assign users for testing. Once the groups are populated, you can leverage them for assigning access to AVD resources once they are created.

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type Azure Active Directory. Select Azure Active Directory from the list.
On the Azure Active Directory page, select Groups on the left and select the AVD Persistent Desktop User group.
Select Members and + Add Members
In the search field, enter the name of a User to add Select to add them to the group.
Repeat steps 4-6 for the AVD Pooled Desktop User and AVD Remote App All Users groups.

At this point you have three new Azure AD groups with members assigned. Make a note of the group names and accounts you added for use later in this guide. These groups will be used to assign access to AVD application groups.

Exercise 3: Create an Azure Files Share for FSLogix

Duration: 90 minutes

In this exercise, you will be creating an Azure File share and enabling SMB access via Active Directory authentication. Azure Files is a platform service (PaaS) and is one of the recommended solutions for hosting FSLogix containers for AVD users. At the end of this exercise, you will have the following components:

A new storage account in your Azure subscription.
A new Azure file share for your FSLogix profile containers.
AD authentication enabled for your Azure storage account.
Permissions applied for user access to the file share.

Additional Resources


Description	Links
Windows File Server	https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile
NetApp Files	https://docs.microsoft.com/en-us/azure/virtual-desktop/create-FSLogix-profile-container
Azure Files	https://docs.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-adds

Task 1: Create a storage account

Before you can work with an Azure file share, you need to create an Azure storage account. To create a general-purpose v2 storage account in the Azure portal, follow these steps:

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type storage accounts. Select Storage accounts from the list.
On the Storage Accounts window that appears, select + Add.
Fill in the required parameters for the storage account. Refer to the following example for more information on the available parameters. Make a note that contains the values you provide for Resource group and Storage account name. These will be needed later in the exercise.

Note: The storage account name should be 15 characters or less in length.
Select Review + Create to review your storage account settings and create the account.
Select Create.

Task 2: Create an Azure file share

At the top of the Azure Portal page, in the Search resources field, type storage accounts. Select Storage accounts from the list.
On the Storage accounts blade, select the storage account you created in Task 1.
On the Overview page for your Storage account, select File shares.
On the File shares blade, select + File Share.
Enter a Name for the new file share, select Hot Tier, and select Create.

Note: The file share quota supports a maximum of 5,120 GiB and can be managed on the File shares blade.

Task 3: Enable AD authentication for your storage account

Prerequisites

The steps in this task need to be completed from a domain joined computer. The AzFilesHybrid module uses the AD PowerShell module, so running from a server is preferred.
The account used in this task needs to meet the following requirements:
- Synchronized with Azure AD.
- Permissions to create user or computer objects in Active Directory.
- Owner or Contributor rights on the Storage account.

In this task, you will be completing the steps on the Domain Controller in Azure using an account that has been assigned Global Administrator and Domain Administrator. In a production environment, you can scale this back if you meet the minimum requirements above.

Setup

From a domain joined computer, download, and unzip the AzFilesHybrid module.

Link address: https://github.com/Azure-Samples/azure-files-samples/releases
From the GitHub repository, select and download the AzFilesHybrid.zip file to the domain joined computer Documents folder.
After the download is complete, navigate to the file location in file explorer.
Extract this file to the Documents folder on the local Domain controller.
Open an elevated PowerShell ISE window by finding the PowerShell ISE icon on the desktop. Right-click on the icon and select Run as administrator.
Configure the PowerShell execution policy Unrestricted for the current user.
```
 Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
```
Navigate to where you unzipped the AzFilesHybrid. For example:
```
cd C:\Users\ADAdmin\Documents\AzFilesHybrid
```

Install the Az PowerShell module.

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
  'Az modules installed at the same time is not supported.')
} else {
Install-Module -Name Az -AllowClobber -Scope CurrentUser
}

Install the AzFilesHybrid module.
```
.\CopyToPSPath.ps1
```
Import the AzFilesHybrid module.
```
Import-Module -Name AzFilesHybrid
```
Sign in with an account that meets the prerequisites.
```
Connect-AzAccount
```
Create the following PowerShell variables replacing the subscription id, resource group name, and storage account with the information specific to your lab environment:
```
$SubscriptionId = "<subscription-id>"
$ResourceGroupName = "<resource-group-name>"
$StorageAccountName = "<storage-account-name>"
```
Note: The Resource Group Name and Storage Account Name were assigned in Task 1.

Note: You can run Get-AzSubscription to lookup the available subscription names.

Select the target subscription for the current session.

Select-AzSubscription -SubscriptionId $SubscriptionId

Register the storage account with your Active Directory domain.
```
Join-AzStorageAccount -ResourceGroupName $ResourceGroupName
```
Note: You will be prompted to enter the Azure storage account name after you run this command. The prompt will look like the screenshot below.
When the script completes, you will be provided with confirmation that you are connected to the storage account.
Confirm the object was created successfully in Active Directory Users and Computers by going to Domain controllers and looking for the computer object for Azure storage account.

Confirm that the feature is enabled.

```
$storageaccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
```

List the directory service of the selected service account.

$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

List the directory domain information if the storage account has enabled AD authentication for file shares.
```
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
```
Confirm activation with your domain by navigating to the Azure portal, going to the storage account and selecting Files shares under Data storage. Refer to the File share settings to see Configured on Active Directory (AD), as shown in the example below.

Note: You may need to navigate out of the storage account and back in for the File share settings to change.

You have now successfully enabled AD authentication over SMB and assigned a custom role that provides access to an Azure file share with an AD identity.

Task 4: Configure share permissions

There are three Azure built-in roles for granting share-level permissions to users and/or groups:

Storage File Data SMB Share Reader: allows read access in Azure Storage file shares over SMB.
Storage File Data SMB Share Contributor: allows read, write, and delete access in Azure Storage file shares over SMB.
Storage File Data SMB Share Elevated Contributor: allows read, write, delete, and modify NTFS permissions in Azure Storage file shares over SMB.

To access Azure Files resources with identity-based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this task demonstrates how to assign read, write, or delete permissions for a file share to an identity.

To simplify administration, create 4 new security groups in Active Directory to manage share permissions.

From a domain joined computer, open Server Manager, then navigate to Tools to open Active Directory Users and Computers.
Under the local domain, select Builtin and select Create a new group in the current container.
Create the following Active Directory security groups in an OU that is synchronized with Azure AD:
- AZF FSLogix Contributor
- AZF FSLogix Elevated Contributor
- AZF FSLogix Reader
- AVD Users
Add the AVD administrative account that you created previously to the group AZF FSLogix Elevated Contributor. This account will have permissions to modify file share permissions.
Type AZF FSLogix Elevated Contributor and select Check Names to verify. Select Ok to save.
Add the group AVD Users to the group AZF FSLogix Contributor by going to the Builtin groups, locating AVDUsers and right-click to Add to a group.
Add user accounts to the group AVD Users by selecting OrgUsers and choosing all the users in the list. Select all the users and right-click to add them to a group. These users will have access to use FSLogix profiles. Also be sure to add the ADAdmin user to these groups.
Wait for the new groups to synchronize with Azure AD. These groups can be verified by going to Groups within Azure Active Directory and looking for the names in the list.

With the new security groups available in Azure AD, use the following steps to assign them to your storage account in the Azure portal. This will enable you to manage share permissions using AD security groups.
In the Azure portal, in the Search resources field, type storage accounts and select Storage accounts from the list.
On the Storage accounts blade, select the Storage account you created in Task 1.
On the blade for your storage account, locate and select File shares. Then, on the File shares blade, select your file share.
Select Access Control (IAM), and then select + Add and select Add role assignment.
On the Add role assignment fly out, fill in the following options and select Save.
- Role: Storage File Data SMB Share Contributor
- Assign access to: Azure AD user, group, or service principal
- Select: AZF FSLogix Contributor
Repeat steps 3-4 for the remaining two roles.
- Storage File Data SMB Share Elevated Contributor > AZF FSLogix Elevated Contributor
- Storage File Data SMB Share Reader > AZF FSLogix Reader

Task 5: Configure NTFS permissions for the file share

After you assign share-level permissions with Azure RBAC, you must assign proper NTFS permissions at the root, directory, or file level. Think of share-level permissions as the high-level gatekeeper that determines whether a user can access the share. Whereas NTFS permissions act at a more granular level to determine what operations the user can do at the directory or file level.

Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows iCACLS or Set-ACL command.

The first time you configure NTFS permission, do so using superuser permissions. This is accomplished by mounting the file share using your storage account key.

Note: To complete this task, you will need to disable secure transfer in the storage account. This can be accessed from the storage account Configuration and selecting Disabled under Secure transfer required. Select Save to save the changes.

In the Azure portal, in the Search resources field, type storage accounts and select Storage accounts from the list.
On the Storage accounts blade, select the Storage account you created in Task 1.
On the blade for the file share within your storage account, select Connect. This will open the Connect blade.

Note: The base URL is also available under the Properties of the storage account itself under the File service entry.

On the Connect blade, select Drive letter Z, Storage account key for the Authentication method.
On the Connect blade for your storage account, copy the PowerShell script located in the gray text box.
From a domain joined computer, open a PowerShell and enter cd c:\users and paste the PowerShell script that you copied from the Connect blade.

cd c:\users

Note: After running the script, if you receive a CMDKEY: Credential added successfully and drive name Z appears, the script has run correctly. If this fails it may be that this is an SMB connection on port 445 and many consumer ISPs block this port by default. When you are doing this in your lab and experience issues mounting the share from a local computer, try connecting from a domain joined VM in Azure.
Open File Explorer, right-click on the Z: drive and select Properties.
On the properties window, select the Security tab and select Advanced.

Select Add and add each of the AD security groups you created in Task 4 with the appropriate permissions. Select check names as each is entered to verify the connection.

Note: The images show all the objects that need to be added but only one can be added at a time. Add one and then repeat the process until all four are added.

AD Group	NTFS Permissions	Applies to
AZF FSLogix Contributor	Modify	This folder, subfolders and files
AZF FSLogix Elevated Contributor	Full control	This folder, subfolders and files
AZF FSLogix Reader	Read & execute	This folder, subfolders and files
AVD Users	Modify (This folder only)	This folder only

Select OK to save your changes. Select Yes if you receive a Windows Security warning about removal of inherited permissions.

Task 6: Configure NTFS permissions for the containers

With the NTFS permissions applied at the root file share, you can now create the FSLogix folder structure and recommended NTFS permissions. There are many ways to create secure and functional storage permissions for use with Profile Containers and Office Container. Below is one configuration option that provides new-user functionality and doesn't require users to have administrative permissions.

In this task we will create directories for each of the FSLogix profile types and assign the recommended permissions.

Navigate to the networked drive in File explorer.
Create three new folder directories in the root share.
- Profiles
- ODFC
- MSIX
Right-click on the Profiles directory and select Properties.
On the properties window, select the Security tab and select Advanced.
Select Disable inheritance and select Remove all inherited permissions from this object.
Select Add and add AZF FSLogix Elevated Contributor. Grant Full Control and check Only apply these permissions to objects and/or containers within this container. Select OK.
Select Add and add Creator owner. Grant Full Control to Only apply these permissions to objects and/or containers within this container. Select OK.
Select Add and add AVD Users. Grant the following special permissions to Only apply these permissions to objects and/or containers within this container. Select OK.
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Create folders / append data
Select OK on both property windows to apply your changes.
Repeat steps 3-9 for the ODFC directory.
Right-click on the MSIX directory and select Properties.
On the properties window, select the Security tab and select Advanced.
Select Disable inheritance and select Remove all inherited permissions from this object.
Select Add and add AZF FSLogix Elevated Contributor. Grant Full Control to Only apply these permissions to objects and/or containers within this container. Select OK.
Select Add and add AVD Users. Grant Read & execute to Only apply these permissions to objects and/or containers within this container. Select OK.
Confirm your permissions match the screenshots below.
Select OK on both property windows to apply your changes.

Your Azure Files Share is now ready for FSLogix profile containers. Copy the UNC path and add it to your FSLogix deployment (image, GPO, etc.).

Exercise 4: Create a gold image for AVD

Duration: 90 minutes

In this exercise, you are going to walk through the process of creating a gold image for your AVD host pools. The basic concept for a gold image is to start with a clean base install of Windows and layer on mandatory updates, applications, and configurations. There are many ways to create and manage images for AVD. The steps covered in this exercise are going to walk you through a basic build and capture process that includes core applications and recommended configuration options for AVD.

Additional Resources


Description	Links
Create a managed image of a generalized VM in Azure	https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource
For more information on how to deploy a virtual machine in Azure	https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal
For more information on how to setup a Bastion host in Azure	https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

Task 1: Create a new Virtual Machine (VM) in Azure

Sign in to the Azure Portal.
On the Azure portal home page, select Create a resource.
On the New page, search for Microsoft Windows 10. Select Windows 10 Enterprise multi-session, Version 1909 or higher and Create.

Note: In this exercise we are selecting a base Windows 10 image to start with and installing Office 365 ProPlus using a custom deployment script. We are also using the latest available release of Windows 10 Enterprise multi-session, but you can choose the version based on your requirements.
On the Create a virtual machine page, fill in the required fields shown below.

Note: Make a note of the Username and Password used to create the VM. This information will be required to access the VM after creation.

Note: This guide does not walk through the process of creating a VM in Azure. However, for Inbound port rules, be sure to allow RDP (3389), or have a bastion host deployed for remote access.
Select the checkbox to confirm eligible Windows 10 licensing and create the VM by selecting Review + create.
Once the VM is successfully deployed, go to the resource, and connect using RDP. Sign in using the credentials you supplied when creating the VM.
Download the RDP file and open the RDP file to connect.

Task 2: Run Windows Update

Despite the Azure support teams best efforts, the Marketplace images are not always up to date. The best and most secure practice is to keep your gold image up to date.

From your gold image VM, open the Settings app and select Updates & Security.
Install all missing updates, rebooting as necessary.

Note: After initial updates found during startup have been installed and you have rebooted the VM, check for updates again before proceeding. There may be additional updates that need to be installed.
Once the VM is fully patched, the Windows Update Settings page should resemble the following screenshot.

Task 3: Prepare an AVD image

Introduction to the script

The authors for this content have developed a scripted solution to assist in automating some common baseline image build tasks. The script includes a UI form, enabling you to quickly select which actions to perform. The result will be a custom gold image that incorporates Microsoft's main business applications, along with the necessary policies and settings for an optimized user experience.

The script and related tools are maintained in GitHub - Download Link

https://minhaskamal.github.io/DownGit/#/home?url=https://github.com/shawntmeyer/WVD/tree/master/Image-Build/Customizations

For additional documentation about the script (e.g., parameters, functions, etc.), refer to the comments in Prepare-WVDImage.ps1.

For troubleshooting script execution, refer to the following log directory on the target machine: C:\Windows\Logs\ImagePrep.

This script leverages the Local Group Policy Object (LGPO) tool in the Microsoft Security Compliance Toolkit (SCT) to apply settings in the image. The settings are documented and exported on the target machine under C:\Windows\Logs\ImagePrep\LGPO. This approach was taken to simplify troubleshooting, enabling you to leverage Group Policy Results.

The UI form offers the following actions:

Office 365 ProPlus

Install the latest version of Office 365 ProPlus monthly channel.
Apply recommended settings.
Source documentation: Install Office on a gold VHD image.

OneDrive for Business

Install the latest version of OneDrive for Business per-machine.
Source documentation: Install Office on a gold VHD image.

Microsoft Teams

Install the latest version of Microsoft Teams per-machine.
Source documentation: Use Microsoft Teams on Azure Virtual desktop.

Microsoft Edge Chromium

Install the latest version of Microsoft Edge Enterprise.
Apply recommended settings.
Source documentation: Deploy Microsoft Edge using System Center Configuration Manager.

FSLogix Profile Containers

Install the latest version of the FSLogix Agent.
Apply recommended settings.
Source documentation: Download and Install FSLogix.

OS Settings

Apply the recommended AVD settings for image capture.
Source documentation: Prepare and customize a gold VHD image.
Apply the recommended settings for capturing an Azure VM.
Source documentation: Prepare a Windows VHD or VHDX to upload to Azure.
Run Disk Cleanup.
Source documentation: cleanmgr.

Running the script

Download the .zip file to your local workstation.

https://minhaskamal.github.io/DownGit/#/home?url=https://github.com/shawntmeyer/WVD/tree/master/Image-Build/Customizations
Save the .zip file on your local workstation. Open the RDP window to your gold image VM. Save as the .zip file to the documents folder.
On the gold image VM, right-click on the .zip file on your desktop and select Extract All....
Extract the files to C:\Documents.
Open an elevated PowerShell window by searching for PowerShell on the Windows 10 VM. Right-click and run as administrator.

Navigate to "C:\Users\(loginaccount)\Documents\Customizations".

cd C:\Users\(LoginAccount)\Documents\Customizations\Prepare-WVDImage

Run the following command to allow for script execution:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

Execute the script by running the following command:
```
.\Prepare-WVDImage.ps1 -DisplayForm
```

This will trigger the PowerShell form to launch. Select the appropriate options based on the following input information.

Select Install Office 365 to Install Office 365 ProPlus while excluding Teams, Groove, and Skype. This will enable the Email and Calendar Caching settings below.

Note: Update these settings as necessary. The Microsoft recommended settings are pre-selected. when you do not wish to apply these settings to the image, then set each to 'Not Configured'.
Select Install FSLogix Agent to install the FSLogix Agent. When you select this option, the option to specify the FSLogix User Profile Container VHD Path is enabled. When you do not want to specify this option in the image, blank out this setting.
Select Install OneDrive per Machine to install the OneDrive sync client per machine. When you select this option, it will enable the AAD Tenant ID field. Enter your tenant id here to enable silent Known Folder Move functionality in your image. When you do not want this in your image, blank out the value.
Select Install Microsoft Teams per Machine to install the per machine Teams install.
Select Install Microsoft Edge Chromium v80+ to install the Microsoft Edge Enterprise browser based on Chromium.
Select Disable Windows Update to disable Windows Update in the image.
Select Run System Clean Up (CleanMgr.exe) to execute Disk Cleanup.

With the desired options selected, select Execute.

The form will close at this point and the script will begin configuring the image. DO NOT close any of the remaining windows that appear until the script has finished execution. Doing so will interrupt the process and will require you to start over.

The script will take several minutes to complete depending on the options you selected. Additional input from you is not required during this stage, so feel free to minimize the RDP session and work on other tasks.
- When you selected to install Office 365, you will see a setup.exe window during execution.
- When you selected to install OneDrive, you will see a OneDrive window during execution.
- When you selected to run System Clean Up, you will see the Disk Cleanup wizard during execution. This window may stay on the "Windows Update Cleanup" task for a few minutes while it cleans out older files in the Windows Side by Side.
Note: This script takes some time to run, so be patient as it may seem like nothing is happening for a while, and then applications will begin to install. You can watch the status from within PowerShell. After the Disk Cleanup Wizard closes, you may notice the PowerShell window does not update. It is waiting for the cleanmgr.exe process to close, which can take some time. You can select the PowerShell window and continue to hit the up arrow on your keyboard until you are presented with an active prompt.
After the script has completed, select the Window start icon and note that Office, Microsoft Edge Chromium, and Microsoft Teams have been installed.

Once the script has completed execution, complete these final tasks:
- Delete the C:\BuildArtifacts directory.
- Delete the .zip file on your desktop.
- Empty the Recycle Bin.
- Copy the C:\Windows\Logs\ImagePrep\LGPO directory to your local workstation.
- Reboot the VM.

Task 4: Run Sysprep

After the VM has rebooted, reconnect your RDP session and sign in.
Open an administrative command prompt.
Navigate to: C:\Windows\System32\Sysprep.
```
cd C:\Windows\System32\Sysprep
```
Run the following command to sysprep the VM and shutdown:
```
sysprep.exe /oobe /generalize /shutdown
```

The system will automatically shut down and disconnect your RDP session.

Task 5: Create a managed image from the gold Image VM

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type virtual machines. Select Virtual machines from the list.
On the Virtual machines blade, locate the VM you used for your gold image and select the name.
On the Overview blade for your VM, confirm the Status shows Stopped. Select Stop in the menu bar to move it to a deallocated state.
Once complete, select Capture in the menu bar.
On the Create image wizard, fill in the required fields and Select Review + create.
Once complete, type shared image in the Search resources field at the top of the page. Select Shared image galleries from the list.
On the Shared image galleries blade, locate your image and Select the name.
On the Overview blade for your image, make note of the Name field and Resource group field. These attributes are needed when you provision your host pools.

Task 6: Provision a Host Pool with a custom image

To start provisioning a host pool with your custom image, follow the instructions in Exercise 6.
When you get to step 5 to configure Virtual machine settings, select Browse all images and disks and then select the tab option for My Items to select the image that was created.

Exercise 5: Create a host pool for personal desktops

Duration: 45 minutes

In this exercise we will be creating an Azure Virtual Desktop host pool for personal desktops. This is a set of computers or hosts which operate on an as-needed basis. In a pooled configuration we will be hosting multiple non-persistent sessions, with no user profile information stored locally. This is where FSLogix Profile Containers provide the users profile to the host dynamically. This provides the ability for an organization to fully utilize the compute resources on a single host and lower the total overhead, cost, and number of remote workstations.

Additional Resources


Description	Links
Create a host pool with the Azure portal	https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

Task 1: Create a new Host Pool and Workspace

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Host pools and select + Create.
On the Basics page, refer to the following screenshot to fill in the required fields. Change Validation environment to Yes. Once complete, select Next: Virtual Machines.
On the Virtual Machines page, provision a Virtual machine with the Windows 10 multi-user + M365 apps. Once complete, select Next: Workspace.
For the Image, select Browse all images and disks and search to find Windows 10 Enterprise multi-session, Version 1909 + Microsoft 365 Apps and select that image.

Note: Selecting this image is very important. You will need the Microsoft 365 for assigning apps in this exercise.
On the Workspace page, select Yes to register a new desktop app group. Select Create new and provide a Workspace name. Select OK and Review + create.
On the Create a host pool page, select Create.

Task 2: Create a friendly name for the workspace

The name of the Workspace is displayed when the user signs in. Available resources are organized by Workspace. For a better user experience, we will provide a friendly name for our new Workspace.

Note: The workspace will not appear until Task 1 has completed deployment.

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Workspaces. Locate the Workspace you want to update and select the name.
Under Settings, select Properties.
Update the Friendly name field to your desired name.
Select Save.

Task 3: Assign an Azure AD group to an application group

In the new Azure Virtual Desktop ARM portal, we now can use Azure Active Directory groups to manage access to our host pools.

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Application groups.
Locate the Application group that was created as part of Task 1 (<poolName>-DAG). Select the name to manage the Application group.
Under Manage, select Assignments and select + Add.
In the fly out, enter AVD in the search to find the name of your Azure AD group. In this exercise we will select AVD Pooled Desktop Users and AAD DC Administrators.

Note: AAD DC Administrators will allow you to use your Azure tenant login to access resources in Exercise 7.
Choose Select to save your changes.

With the assignment added, you can move on to the next exercise. The users in the Azure AD group can be used to validate access to the new host pool in a later exercise.

Exercise 6: Create a host pool and assign pooled remote apps.

Duration: 45 minutes

In this exercise, you will be creating a non-persistent host pool for publishing remote apps. This enables you to assign users access to specific applications rather than an entire desktop. This type of application deployment serves many purposes and is not new to AVD, but has existed in Windows Server Remote Desktop Services for many years.

Additional Resources


Description	Links
Publish built-in apps in Azure Virtual Desktop	https://docs.microsoft.com/en-us/azure/virtual-desktop/publish-apps
Manage app groups with the Azure portal	https://docs.microsoft.com/en-us/azure/virtual-desktop/manage-app-groups

Task 1: Create a new host pool and workspace

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Host pools and select + Create.
On the Basics page, refer to the following screenshot to fill in the required fields and change Validation environment to Yes. Selecting Pooled for host pool type. Once complete, select Next: Virtual Machine.
When you configure Virtual machine settings, select Browse all images and disks and then select the tab option for My Items to select the image that was created earlier in Exercise 4.

Note: Selecting this image is very important. You will need the Microsoft 365 for assigning apps in this exercise.
On the Workspace page, select Yes to register a new desktop app group. Select Create new and provide a Workspace name. Select OK and Review + create.
On the Create a host pool page, select Create.

Task 2: Create a friendly name for the workspace

The name of the Workspace is displayed when the user signs in. Available resources are organized by Workspace. For a better user experience, we will provide a friendly name for our new Workspace.

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Workspaces. Locate the Workspace that was created for remote apps and select the name.
Under Settings, select Properties.
Update the Friendly name field to your desired name.
Select Save.

Task 3: Add Remote Apps to your Host Pool

Sign in to the Azure Portal.
Search for Azure Virtual Desktop and select it from the list.
Under Manage, select Host pools and select the host pool that you created in Task 1. Select Application groups and select Add to create a new application group.
In the Basics tab, name the application group
Select Next: Applications.
On the Applications page, select + Add Application.
On the Add Application fly out, next to Application source, select Start Menu. add the following applications, selecting Save between selections.
- Outlook
- Microsoft Edge
- Microsoft Teams
- Word
- PowerPoint
- Excel
Select Next: Assignments.
On the assignments tab, select Add assignments. Search for the AVD Remote App All Users and AAD DC Administrators created earlier in this guide and choose Select.

Note: AAD DC Administrators will allow you to use your Azure tenant login to access resources in Exercise 7.
Select Next: Workspace.
On the Workspace page, select Yes to register the application group.

Note: The Register application group field will automatically populate with the workspace name.
Select Review + Create.
Select Create.

You have successfully created a Remote App non-persistent Host Pool with published apps. You can validate this configuration when you connect to the environment in a later exercise.

Exercise 7: Connect to AVD with the web client

Duration: 30 minutes

In this exercise, you are going to walk through connecting to your AVD environment using the HTML5 web client and validating your deployment. The following operating systems and browsers are supported:

Additional Resources

There are multiple clients available for you to access AVD resources. Refer to the following Docs for more information about each client:


Description	Links
Connect with the Windows Desktop Client	https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-windows-7-and-10
Connect with the HTML5 web client	https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-web
Connect with the Android client	https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-android
Connect with the macOS client	https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-macos
Connect with the iOS client	https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-ios

Task 1: Connecting with the HTML5 web client

Open a supported web browser.
Navigate to the https://rdweb.wvd.microsoft.com/arm/webclient.

Note: You will be asked to login when you access the above URL. The credentials that you use are those from the lab.
Sign in using a synchronized identity that has been assigned to an application group.

Note: When you added the AAD DC Administrators to the groups in the previous exercises, you will be able to use your Global Administrator information. This must be a user that is synchronized with the AD DS with Azure AD Connect. To verify, go to Azure Active Directory users and verify the directory sync users.
Select an available resource from the web client. In this example we will connect to a host pool containing pooled desktop.
On the Access local resources prompt, review the available options for and select Allow.
On the Enter your credentials prompt, sign in using the same account from Step 3 and select Submit.

Note: The username and password to login to the AVD desktop will be credentials from the domain controller username and password created upon initial deployment. When you need the user email, RDP into the domain controller VM and find the user in the Active Directory Users and Groups and OrgUsers.
Once connected, validate the components relative to your configuration. The desktop should show icons for Microsoft Edge and Microsoft Teams. When you go to the Windows start menu, you can find the Office applications.

Troubleshooting

Web client stops responding or disconnects

Try connecting using another browser or client.

If issues continue even after you've switched browsers, the problem may not be with your browser, but with your network. We recommend you contact network support.

Web client keeps prompting for credentials

If the Web client keeps prompting for credentials, follow these instructions:

Confirm the web client URL is correct.
Confirm that the credentials you're using are for the Azure Virtual Desktop environment tied to the URL.
Clear browser cookies.
Clear browser cache.
Open your browser in Private mode.

Exercise 8: Setup monitoring for AVD

Duration: 45 minutes

In this exercise, you will setup monitoring for our AVD host pools. There are multiple reasons why monitoring serves a critical role: troubleshooting, performance, security, etc. There are also multiple components that make up the AVD service, which can add some variation on how customers implement monitoring (e.g., adding additional third-party solutions). By the end of this exercise, you will have the following monitoring capabilities enabled:

Diagnostic logging for the AVD service
Azure Monitor for the session host VMs
Log Analytics Monitoring Agent for the session host VMs

Additional Resources


Description	Links
Use Log Analytics for diagnostic features	https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics
Create diagnostic settings to collect resource logs and metrics in Azure	https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
PG Blog for Log Analytics Dashboard and Azure Monitor	https://techcommunity.microsoft.com/t5/windows-it-pro-blog/proactively-monitor-arm-based-windows-virtual-desktop-with-azure/ba-p/1508735
Enable monitoring for a single Azure VM	https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-single-vm#enable-monitoring-for-a-single-azure-vm
Enable Azure Monitor for VMs by using Azure Policy	https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-at-scale-policy
Enable Azure Monitor for VMs using Azure templates	https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-at-scale-powershell

Task 1: Create a Log Analytics workspace

A Log Analytics workspace is required for each of the monitoring capabilities covered in this exercise. You have the option to stream log data into different workspaces if desired. There are several factors to consider around a single workspace versus multiple. For example, RBAC controls, query performance, report development, etc. For AVD environments, it is common to have all monitor data pointing to a single dedicated workspace.

In this exercise we will create a dedicated workspace for our environment. When you already have a workspace created, move on to Task 2.

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type "log analytics". Select Log Analytics workspaces from the list.
On the Log Analytics workspaces blade, select +Add.
On the Create Log Analytics workspace blade, fill in the following information and select Review + Create.
- Subscription: Select the desired subscription for the Log Analytics workspace.
- Resource Group: Create a new resource group or select one from the list.
- Name: Enter a unique name for the workspace.
- Region: Select a region for the workspace.
Select Create.

Monitor the notification bell in the upper-right corner and wait for the deployment to complete. Once complete, move on to task 2.

Task 2: Enabling diagnostic logging for AVD

Like many other Azure services, AVD uses Azure Monitor for monitoring and alerts. To enable diagnostic data collection, you need to enable it for each ARM object that you want to monitor (e.g., Host pools, Application groups, and Workspaces). Once enabled, it can take a few hours for the data to appear in your workspace.

Each AVD ARM object has different diagnostic data categories available. For example, host pool objects will have a different set of options then Workspaces. Refer to the following table for a summary of each data category and their associated objects.


Category	Description	ARM Object(s)
Checkpoint	Specific steps in the lifetime of an activity that were reached. For example, during a session, a user was load balanced to a particular host, then the user was signed on during a connection, and so on.	Host pools, Application groups, Workspaces
Connection	When users initiate and complete connections to the service.	Host pools
Error	Are users encountering any issues with specific activities? This feature can generate a table that tracks activity data for you if the information is joined with the activities.	Host pools, Application groups, Workspaces
Feed	Can users successfully subscribe to workspaces? Do users see all resources published in the Remote Desktop client?	Workspaces
Host Registration	Was the session host successfully registered with the service upon connecting?	Host pools
Management	Track whether attempts to change Azure Virtual Desktop objects using APIs or PowerShell are successful. For example, can someone successfully create a host pool using PowerShell?	Host pools, Application groups, Workspaces

Task 3: Enable logging for host pools

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type "azure virtual desktop". Select Azure Virtual Desktop from the list.
On the Azure Virtual Desktop blade, under Manage, select Host pools.
On the Azure Virtual Desktop | Host pools blade, locate a host pool and select the name.
On the blade for your host pool, under Monitoring, select Diagnostic settings.
On the Diagnostics settings blade, select +Add diagnostic setting.
On the Diagnostic settings page, fill in the following information and select Save.
- Diagnostic settings name: Enter a name for these settings. ARM objects can have multiple diagnostic settings applied.
- Category details | log: Check the box for the logs that you want to collect.
- Destination details | Send to Log Analytics: Check this box.
  - Subscription: Select the desired subscription.
  - Log Analytics workspace: Select the desired workspace.

Task 4: Enable logging for application groups

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type "azure virtual desktop". Select Azure Virtual Desktop from the list.
On the Azure Virtual Desktop blade, under Manage, select Application groups.
On the Azure Virtual Desktop | Application groups blade, locate an application group and select the name.
On the blade for your application group, under Monitoring, select Diagnostic settings.
On the Diagnostics settings blade, select +Add diagnostic setting.
On the Diagnostic settings page, fill in the following information and select Save.
- Diagnostic settings name: Enter a name for these settings. ARM objects can have multiple diagnostic settings applied.
- Category details | log: Check the box for the logs that you want to collect.
- Destination details | Send to Log Analytics: Check this box.
  - Subscription: Select the desired subscription.
  - Log Analytics workspace: Select the desired workspace.

Task 5: Enable logging for workspaces

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type "azure virtual desktop". Select Azure Virtual Desktop from the list.
On the Azure Virtual Desktop blade, under Manage, select Workspaces.
On the Azure Virtual Desktop | Workspaces blade, locate a workspace and select the name.
On the blade for your workspace, under Monitoring, select Diagnostic settings.
On the Diagnostics settings blade, select +Add diagnostic setting.
On the Diagnostic settings page, fill in the following information and select Save.
- Diagnostic settings name: Enter a name for these settings. ARM objects can have multiple diagnostic settings applied.
- Category details | log: Check the box for the logs that you want to collect.
- Destination details | Send to Log Analytics: Check this box.
  - Subscription: Select the desired subscription.
  - Log Analytics workspace: Select the desired workspace.

At this point you should have diagnostic data enabled on at least 1 AVD ARM object of each type. To enable monitoring for additional objects, rinse and repeat the above steps.

Task 6: Enabling Azure Monitor for the session hosts

Azure Monitor is leveraged with AVD to monitor the performance and health of your session host VMs. This feature can be enabled for Azure VMs in several ways. In this exercise we will walk through enabling Azure Monitor on VMs using the Azure portal. Refer to the following links for guidance on automation.

Sign in to the Azure Portal.
At the top of the page, in the Search resources field, type "virtual machines". Select Virtual Machines from the list.
On the Virtual Machines blade, locate a session host VM and select the name.
On the blade for the virtual machine, under Monitoring, select Insights.
On the Insights blade, select Enable. This will initiate a validation check.

Note: The virtual machine must be running to enable Azure Monitor.
On the Insights setup page, fill in the following information and select Enable.
- Workspace Subscription: Select the desired subscription.
- Choose a Log Analytics Workspace: Select the workspace used in the previous task.

Monitor the notification bell in the upper-right corner and wait for the deployment to complete. This can take 5-10 minutes. Once complete, you will see the following items configured on the VM:

New VM Extensions Added. Two new extensions are added to the VM Extensions blade in Azure.

New Monitoring Agents Installed. Two new agents are installed on the VM.

Monitoring Agent Configured for Log Analytics The Microsoft Monitoring Agent is configured for your log analytics workspace.

At this point you should have Azure Monitor enabled on at least one session host VM. To enable Azure Monitor for additional session hosts, repeat the above steps. For automation, leverage Azure Policy or PowerShell to enable monitoring on multiple VMs.

Example Kusto Queries

For a list of example queries, refer to the following Docs article:

Use Log Analytics for the diagnostics feature | Example queries

Troubleshooting

Go to your Log Analytics workspace, and then select Logs. The example query UI is shown automatically.
Change the filter to Category.
Select Azure Virtual Desktop to review available queries.
Select Run to run the selected query.

Often during the deployment of AVD there may be challenges with either having machines join the domain or installing the agent via automation.

Exercise 9: Improving your AVD environment

Duration: 60 minutes

In this exercise, you will our AVD experience bay utilizing additional features or tools with the host pools. AVD is designed to be a versatile platform to distribute and build your solution from, and these optional features allow you to enhance and/or secure the environment depending on your needs. By the end of this exercise, you will have the following features enabled:

Autoscale pooled pool based on connections
Centralized Application Management (MSIX App Attach)
Protect your environment via Microsoft Defender for Endpoint

Additional Resources

Description	Links
Scale session hosts using Azure Automation	https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-scaling-script
Set up MSIX app attach with the Azure portal	https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach-azure-portal
Prepare an MSIX image for Azure Virtual Desktop	https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach-image-prep
MSIX Packaging Tool	https://docs.microsoft.com/en-us/windows/msix/packaging-tool/tool-overview
Onboard Windows 10 multi-session devices in Windows Virtual Desktop	https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device?view=o365-worldwide
Azure Cloud Shell	https://docs.microsoft.com/en-us/azure/cloud-shell/overview

Task 1: Enabling Autoscale

In this task, you will create an Azure Automation account and Logic App that will regularly update the scaling of your pool based on the number of connections. Azure Automation allows for the execution of scripts and commands with an identity related to the automation. Logic App allows for regular execution of commands and tasks. By combining these two resources, we allow for repetitive tasks of a detailed nature which will allow us to automatically increase and decrease the number of hosts in an AVD host pool based on demand of the environment.

Use PowerShell on a system with the Azure Module installed (such as from Exercise 3, Task 3).
Run the following command connect to Azure using the subscription of your AVD:
```
Connect-AzAccount
```

Use the following commands to download installation script for the Automation Account:

New-Item -ItemType Directory -Path ".\AVDTemp" -Force
Set-Location -Path ".\AVDTemp"
$Uri = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/wvd-templates/wvd-scaling-script/CreateOrUpdateAzAutoAccount.ps1"
# Download the script
Invoke-WebRequest -Uri $Uri -OutFile ".\CreateOrUpdateAzAutoAccount.ps1"

Use the following to call the installation script with the appropriate parameters:

$LAWorkspace = Get-AzOperationalInsightsWorkspace | ?{ $_.name -notlike "DefaultWork*" }
$Params = @{
    "UseARMAPI"             = $true
    "Location"              = $LAWorkspace.location
    "WorkspaceName"         = $LAWorkspace.name       # Optional. If specified, Log Analytics will be used to configure the custom log table that the runbook PowerShell script can send logs to
}

.\CreateOrUpdateAzAutoAccount.ps1 @Params

Now that the Azure Automation account is created, keep the PowerShell window open in the background and go to the Azure Portal in your browser to finish the setup.
Go to the Azure Automation account.
Select Run As accounts under Account Settings.
Select Create to create a new account.

Note: This process may take a few minutes, but you can track the progress.

When it is complete, there will be a resource named AzureRunAsConnection.
Selecting the Azure Run As account, you can see the application ID, tenant ID, subscription ID, and certificate thumbprint.
Go back to the PowerShell window from earlier.

Run the following code to download a script to create the Logic App:

$Uri = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/wvd-templates/wvd-scaling-script/CreateOrUpdateAzLogicApp.ps1"
# Download the script
Invoke-WebRequest -Uri $Uri -OutFile ".\CreateOrUpdateAzLogicApp.ps1"

Run the following code to use the script to create your Logic App:

$AADTenantId = (Get-AzContext).Tenant.Id

$AzSubscription = (Get-AzContext).Subscription

$ResourceGroup = Get-AzResourceGroup  "AVDAutoScaleResourceGroup"

$AVDHostPool = Get-AzWvdHostPool | ?{ $_.HostPoolType -eq "Pooled" } | Select -First 1 | Get-AzResource

$LogAnalyticsWorkspaceId = $LAWorkspace.CustomerId.Guid
$LogAnalyticsPrimaryKey =  ($LAWorkspace | Get-AzOperationalInsightsWorkspaceSharedKey).PrimarySharedKey
$RecurrenceInterval = 15
$BeginPeakTime = "09:00"
$EndPeakTime = "18:00"
$TimeDifference = "-7:00"
$SessionThresholdPerCPU = 2 #this number is abnormally low for the lab; this is not what you would use in most production environments
$MinimumNumberOfRDSH = 1
$MaintenanceTagName = "NoScaling"
$LimitSecondsToForceLogOffUser = 1 #this number is abnormally low for the lab; this is not what you would use in most production environments
$LogOffMessageTitle = "Automation Log Off for Scaling"
$LogOffMessageBody = "To improve resource utilization we need to move your session to a new host. Please save your work and log back in to AVD continue working on a new host. For assistance, please contact the Help Desk."

$AutoAccount =  Get-AzAutomationAccount -Name "AVDAutoScaleAutomationAccount" -ResourceGroupName $ResourceGroup.ResourceGroupName
$AutoAccountConnection = Get-AzAutomationConnection -ResourceGroupName $AutoAccount.ResourceGroupName -AutomationAccountName $AutoAccount.AutomationAccountName | Select -first 1

$WebhookURIAutoVar = Get-AzAutomationVariable -Name 'WebhookURIARMBased' -ResourceGroupName $AutoAccount.ResourceGroupName -AutomationAccountName $AutoAccount.AutomationAccountName

$Params = @{
    "AADTenantId"                   = $AADTenantId                             # Optional. If not specified, it will use the current Azure context
    "SubscriptionID"                = $AzSubscription.Id                       # Optional. If not specified, it will use the current Azure context
    "ResourceGroupName"             = $ResourceGroup.ResourceGroupName         # Optional. Default: "AVDAutoScaleResourceGroup"
    "Location"                      = $ResourceGroup.Location                  # Optional. Default: "West US2"
    "UseARMAPI"                     = $true
    "HostPoolName"                  = $AVDHostPool.Name
    "HostPoolResourceGroupName"     = $AVDHostPool.ResourceGroupName           # Optional. Default: same as ResourceGroupName param value
    "LogAnalyticsWorkspaceId"       = $LogAnalyticsWorkspaceId                 # Optional. If not specified, script will not log to the Log Analytics
    "LogAnalyticsPrimaryKey"        = $LogAnalyticsPrimaryKey                  # Optional. If not specified, script will not log to the Log Analytics
    "ConnectionAssetName"           = $AutoAccountConnection.Name              # Optional. Default: "AzureRunAsConnection"
    "RecurrenceInterval"            = $RecurrenceInterval                      # Optional. Default: 15
    "BeginPeakTime"                 = $BeginPeakTime                           # Optional. Default: "09:00"
    "EndPeakTime"                   = $EndPeakTime                             # Optional. Default: "17:00"
    "TimeDifference"                = $TimeDifference                          # Optional. Default: "-7:00"
    "SessionThresholdPerCPU"        = $SessionThresholdPerCPU                  # Optional. Default: 1
    "MinimumNumberOfRDSH"           = $MinimumNumberOfRDSH                     # Optional. Default: 1
    "MaintenanceTagName"            = $MaintenanceTagName                      # Optional.
    "LimitSecondsToForceLogOffUser" = $LimitSecondsToForceLogOffUser           # Optional. Default: 1
    "LogOffMessageTitle"            = $LogOffMessageTitle                      # Optional. Default: "Machine is about to shutdown."
    "LogOffMessageBody"             = $LogOffMessageBody                       # Optional. Default: "Your session will be logged off. Please save and close everything."
    "WebhookURI"                    = $WebhookURIAutoVar.Value
}

.\CreateOrUpdateAzLogicApp.ps1 @Params

After this script completes, go back to the Azure Portal.
Find the Logic App that was created by the script.
Select the Logic app designer link under Development Tools, you will see the graphical representation of the workflow created by the script.
You can select Recurrence to change how often the script runs.
Select the Run button to trigger the scaling immediately.
View the occurrences of your runs by going back to the Overview of the Logic App.

At this point, your AVD Host Pool that is Pooled will spin up and down hosts based on the load of the environment.

Task 2: Utilizing Application Packages (MSIX)

In this task, you will take a MSIX package created from the MSIX packaging tool and utilize the Azure portal to attach the MSIX package dynamically to AVD pools as users login. MSIX Packages are disk images containing all files, configurations, and publication details needed to run supported applications that can be mounted by Windows systems on the fly to allow users to run the application without having to install the application to the host machine. By utilizing this technique, we can minimize the footprint and management needs of the AVD hosts while still utilizing multiple applications on the systems without installing the applications permanent on the system.

Go to the Azure Portal.
Go to the Storage Account created in Exercise 3 for the FSLogix profiles that was already joined to Active Directory.
Select the File shares under data storage and select the share created for AVD files.
Select the + Add directory button to create a new folder and name it msix.

Note: Normally in production you would create an additional share for MSIX files and place the files there. You would need to make sure the share or container the MSIX files are in you follow the same steps you use for the FSLogix storage account and apply the appropriate permissions to them (users normally only need Read access) and make sure there is enough room to store them. We are placing it on the same share for this exercise for expediency sake and easier setup. It is not uncommon to have a central MSIX storage with permissions to each MSIX file based on groups assigned to the appropriate application and the MSIX repository used by multiple pools or deployments, but ensure network connectivity and speed are kept consistent.
Take note of the storage account (i.e.: dncloudavdstorage ) and the name of the file share (i.e.: labavdfileshare).
Open a PowerShell window with the Azure Module installed and connect to the Azure subscription with this command if it is not already connected:
```
Connect-AzAccount
```

Run this command to upload the MSIX file to the folder:

$SAName = Read-Host "What is the name of the storage account with AVD file shares? (ie: mystorageacct1592)" # Provide the name to the storage account here instead of prompting
$SAShare = Read-Host "What is the name of the file share in the storage account used for AVD? (ie: labavdfilesshare)"

$sa = Get-AzStorageAccount | ? StorageAccountName -eq $SAName
$SAS = New-AzStorageAccountSASToken -Context $sa.Context -Service File -ResourceType Object -Permission rwd -Protocol HttpsOnly -ExpiryTime ((Get-Date).AddHours(4))

.\azcopy.exe copy 'https://openhackpublic.blob.core.windows.net/windows-virtual-desktop/msix/MCW-WVD-MSIX.vhd' "https://$($sa.StorageAccountName).file.core.windows.net/$SAShare/msix/MCW-WVD-MSIX.vhd$SAS"

"\\$($sa.StorageAccountName).file.core.windows.net\$SAShare\msix\MCW-WVD-MSIX.vhd" | scb
Write-Output "Use the path [\\$($sa.StorageAccountName).file.core.windows.net\$SAShare\msix\MCW-WVD-MSIX.vhd] later in this exercise"
pause

Find the Azure Virtual Desktop resources.
Select the Host pools and select the Pooled host pool.
Select the Pooled host pool.
Go to MSIX packages under the Manage section and select + Add to add an MSIX package to the pool.
In the MSIX image path, put the following path replacing <storageacctname> with the name over the Storage Account and <shareName> with the share that holds the MSIX above:
```
\\<storageacctname>.file.core.windows.net\<shareName>\msix\MCW-WVD-MSIX.vhd
```
Select the MSIX Package to add.
Ensure there is an application listed under Package applications.
For Registration type, select On-demand registration.
Under State, select Active.
Select Add to add the package.
Go to the Application groups and select remoteapps.
Select + Add to add an application.
Choose MSIX package from the Application source.
Select the MSIX package and MSIX application you just added.
Ensure the Application name matches the name.
Select Save to include
Go to the AVD Web Client (or AVD client if installed locally).
Select the new application icon to launch the application (refresh the page if the new application does not show up).

This application is now running on the host pool although the application itself is not installed to the host system. This allows for the application to also be updated by changing which MSIX package the application points to and the next time a user logs into the application.

Task 3: Protect AVD with Microsoft Defender for Endpoint

In this task, you will enable Microsoft Defender for Endpoint service and deploy the endpoint protection via Azure. This will allow for all systems to be protected by the Microsoft Defender for Endpoint service from potential vulnerabilities and alert in the event of suspicious execution or activity.

Note: This will require signing up for Azure Defender trial on your subscription. If this is a Visual Studio subscription or you do not want to sign up for the time trial yet, you will need to wait and deploy this when you can sign up for the Azure Defender trial.

Go to the Azure Portal.
Open the Azure Security Center (ASC) service.
Go the Azure Defender under the Cloud Security section.
Select Enable Azure Defender to setup the trial edition of Azure Defender for your subscription.
Go back to Azure Defender.
Under the Advanced protection section, select VM vulnerability assessment where it lists the unprotected count of systems.
Check the boxes next to all the VMs that host the AVD Host pools.
Select Fix to proceed to deployment of the agent.
Select the Qualys agent for deploying to Azure Defender and select Proceed.
Select Fix X resources to begin the deployment of the agent.

This will begin deploying Azure Defender to the Virtual Machines currently deployed. Depending on your AVD environment, you can deploy them to systems as they are added to your domain in the AVD OU by utilizing Group Policies using the domain group policy scenario. Another option when your host is not persistent or deployed from an image, is to use the instructions for onboarding non-persistent VDI devices.

After the hands-on lab

Duration: 15 minutes

Task 1: Delete Resource groups to remove lab environment

Go to the Azure portal.
Go to your Resource groups.
Select the Resource groups you created.
Select Delete Resource group.
Enter the name of the Resource group and select Delete.
Repeat these steps for all Resource groups created for this lab, including those for Azure Monitor and Log Analytics.

You should follow all steps provided after attending the Hands-on lab.

Files

HOL step-by-step - Implementing Azure Virtual Desktop in the enterprise.md

Latest commit

History

HOL step-by-step - Implementing Azure Virtual Desktop in the enterprise.md

File metadata and controls

Implementing Azure Virtual Desktop for the enterprise hands-on lab step-by-step

Abstract and learning objectives

Overview

Solution architecture

Requirements

Before the hands-on lab

Troubleshooting

Exercise 1: Configuring Azure AD Connect with AD DS

Task 1: Connecting to the domain controller

Task 2: Disabling IE Enhanced Security

Task 3: Creating a domain admin account

Task 4: Configuring Azure AD Connect

Exercise 2: Create Azure AD groups for AVD

Task 1: Creating Azure AD groups

Task 2: Assign users to groups

Exercise 3: Create an Azure Files Share for FSLogix

Task 1: Create a storage account

Task 2: Create an Azure file share

Task 3: Enable AD authentication for your storage account

Task 4: Configure share permissions

Task 5: Configure NTFS permissions for the file share

Task 6: Configure NTFS permissions for the containers

Exercise 4: Create a gold image for AVD

Task 1: Create a new Virtual Machine (VM) in Azure

Task 2: Run Windows Update

Task 3: Prepare an AVD image

Task 4: Run Sysprep

Task 5: Create a managed image from the gold Image VM

Task 6: Provision a Host Pool with a custom image

Exercise 5: Create a host pool for personal desktops

Task 1: Create a new Host Pool and Workspace

Task 2: Create a friendly name for the workspace

Task 3: Assign an Azure AD group to an application group

Exercise 6: Create a host pool and assign pooled remote apps.

Task 1: Create a new host pool and workspace

Task 2: Create a friendly name for the workspace

Task 3: Add Remote Apps to your Host Pool

Exercise 7: Connect to AVD with the web client

Task 1: Connecting with the HTML5 web client

Exercise 8: Setup monitoring for AVD

Task 1: Create a Log Analytics workspace

Task 2: Enabling diagnostic logging for AVD

Task 3: Enable logging for host pools

Task 4: Enable logging for application groups

Task 5: Enable logging for workspaces

Task 6: Enabling Azure Monitor for the session hosts

Exercise 9: Improving your AVD environment

Task 1: Enabling Autoscale

Task 2: Utilizing Application Packages (MSIX)

Task 3: Protect AVD with Microsoft Defender for Endpoint

After the hands-on lab

Task 1: Delete Resource groups to remove lab environment